match access-group (isa) - ciscoisa traffic classes allow subscriber session traffic to be...
match access-group (ISA)
61Cisco IOS Intelligent Service Architecture Command Reference
To configure the match criteria for an Intelligent Service Architecture (ISA) traffic class map on the basis of the specified access control list (ACL), use the match access-group command in traffic class-map configuration mode. To remove ACL match criteria from a class map, use the no form of this command.

match access-group {input | output} {access-group | name access-group-name}
no match access-group {input | output} {access-group | name access-group-name}

Syntax Description
input                    Specifies match criteria for input traffic.
output                   Specifies match criteria for output traffic.
access-group             A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. An ACL number can be a number from 1 to 2799.
name access-group-name   A named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. The name can be a maximum of 40 alphanumeric characters.

Command Default
No match criteria are configured.

Command Modes
Traffic class-map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Packets satisfying the match criteria for a class constitute the traffic for that class.
To use the match access-group command for traffic classes, you must first enter the class-map type traffic command to specify the name of the traffic class whose match criteria you want to establish.
Once a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class, and the default class.
ISA traffic classes allow subscriber session traffic to be subclassified so that ISA features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.

Examples
The following example configures a class map called “acl144” and specifies the ACL numbered 144 to be used as the input match criterion for this class:

class-map type traffic match-any acl144
 match access-group input 144

Related Commands
Command                  Description
class-map type traffic   Creates or modifies a traffic class map, which is used for matching packets to a specified ISA traffic class.
class type traffic       Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.

match access-list

To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in portbundle configuration mode. To remove this specification, use the no form of this command.

match access-list access-list-number
no match access-list access-list-number

Syntax Description
access-list-number   Integer from 100 to 199 that is the number or name of an extended access list.

Command Default
The ISG port-maps all TCP traffic.

Command Modes
IP portbundle configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
You can use multiple entries of the match access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.

Examples
In the following example, the ISG will port-map packets that are permitted by access list 100:

ip portbundle
 match access-list 100
 source ip Ethernet0/0/0
!
...
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 70.13.6.100
access-list 100 deny ip any any

Related Commands
Command                     Description
ip portbundle (service)     Enables the ISA Port-Bundle Host Key feature for a service.
show ip portbundle ip       Displays information about a particular ISA port bundle.
show ip portbundle status   Displays information about ISA port-bundle groups.

match authen-status

To create a condition that will evaluate true if a subscriber’s authentication status matches the specified authentication status, use the match authen-status command in control class map configuration mode. To remove the condition, use the no form of this command.

match authen-status {authenticated | unauthenticated}
no match authen-status {authenticated | unauthenticated}

Syntax Description
authenticated     Subscriber has been authenticated.
unauthenticated   Subscriber has not been authenticated.

Command Default
A condition that will evaluate true if a subscriber’s authentication status matches the specified authentication status is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match authen-status command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.

class-map type control match-all CONDA
 match authen-status unauthenticated
 match timer TIMERA
policy-map type control RULEA
 class type control always event session-start
  1 set-timer TIMERA 1 [minutes]
 !
 class type control CONDA event timed-policy-expiry
  1 service disconnect

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match authenticated-domain

To create a condition that will evaluate true if a subscriber’s authenticated domain matches the specified domain, use the match authenticated-domain command in control class map configuration mode. To remove the condition, use the no form of this command.

match authenticated-domain {domain-name | regexp regular-expression}
no match authenticated-domain

Syntax Description
domain-name                 Domain name.
regexp regular-expression   Regular expression to be matched against subscriber’s authenticated domain name.

Command Default
A condition that will evaluate true if a subscriber’s authenticated domain matches the specified domain is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match authenticated-domain command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example creates a control class map that will evaluate true if a subscriber’s domain matches the regular expression “.*com”.

class-map type control match-all MY-CONDITION1
 match authenticated-domain regexp ".*com"

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match authenticated-username

To create a condition that will evaluate true if a subscriber’s authenticated username matches the specified username, use the match authenticated-username command in control class map configuration mode. To remove the condition, use the no form of this command.

match authenticated-username {username | regexp regular-expression}
no match authenticated-username {username | regexp regular-expression}

Syntax Description
username                    Username
regexp regular-expression   Matches the regular expression against the subscriber’s authenticated username.

Command Default
A condition is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match authenticated-username command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.

class-map type control match-all class3
 match identifier authenticated-username regexp "user@.*com"
 match identifier authenticated-domain regexp ".*com"
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier authenticated-username

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.
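
The match directives (all, any, none) and the regexp conditions used in the class3 example can be checked offline against sample sessions. The Python below is an added example, not Cisco code or part of the original reference: it parses control class-map text, evaluates each class against constructed sessions, and lists regexp patterns that are not anchored with ^ and $. It assumes a regexp is applied as an unanchored search and that a condition on an attribute the session lacks is false; LAN-SUBSCRIBERS, OFF-LAN and all session values are hypothetical.

```python
import ipaddress
import re

# Constructed sample. class3 and MY-CONDITION2 are copied from the examples on
# this page; LAN-SUBSCRIBERS and OFF-LAN are hypothetical classes added here.
SAMPLE_CONFIG = r'''
class-map type control match-all class3
 match identifier authenticated-username regexp "user@.*com"
 match identifier authenticated-domain regexp ".*com"
!
class-map type control match-any MY-CONDITION2
 match service-name "gold"
 match service-name "bronze"
 match service-name "silver"
!
class-map type control match-all LAN-SUBSCRIBERS
 match source-ip-address 10.0.0.0 255.255.255.0
 match media ether
!
class-map type control match-none OFF-LAN
 match media ether
'''

# class3 again, with both patterns anchored and the dot before "com" escaped.
ANCHORED_CONFIG = r'''
class-map type control match-all class3
 match identifier authenticated-username regexp "^user@.*\.com$"
 match identifier authenticated-domain regexp "^.*\.com$"
'''

# Constructed subscriber sessions, keyed by the attribute each match command tests.
SESSION_COM = {"authenticated-username": "user@example.com",
               "authenticated-domain": "example.com",
               "service-name": "gold",
               "source-ip-address": "10.0.0.25", "media": "ether"}
SESSION_OTHER = {"authenticated-username": "user@example.community.invalid",
                 "authenticated-domain": "example.community.invalid",
                 "service-name": "platinum",
                 "source-ip-address": "10.0.1.25", "media": "ether"}
SESSION_EMPTY = {}  # nothing is known about the subscriber yet

# match-none is the keyword for the "none" directive the text describes.
DIRECTIVES = ("match-all", "match-any", "match-none")


def tokenize(line):
    """Split a config line on whitespace, keeping quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_class_maps(text):
    """Return {name: {"directive": str, "conditions": [(attribute, args)]}}."""
    maps, current = {}, None
    for line in text.splitlines():
        tokens = tokenize(line)
        if tokens[:3] == ["class-map", "type", "control"]:
            if len(tokens) != 5 or tokens[3] not in DIRECTIVES:
                raise ValueError(f"unsupported class-map line: {line!r}")
            current = maps[tokens[4]] = {"directive": tokens[3], "conditions": []}
        elif tokens[:1] == ["match"] and current is not None:
            args = tokens[1:]
            if args and args[0] == "identifier":  # form used in the class3 example
                args = args[1:]
            if len(args) < 2:
                raise ValueError(f"incomplete match line: {line!r}")
            current["conditions"].append((args[0], args[1:]))
        elif tokens == ["!"]:
            current = None  # "!" ends the current class map
    return maps


def condition_true(attribute, args, session):
    """Evaluate one match condition against a session dictionary."""
    value = session.get(attribute)
    if value is None:
        return False  # assumption: a condition on an absent attribute is false
    if attribute == "source-ip-address":  # address followed by a subnet mask
        network = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        return ipaddress.ip_address(value) in network
    if args[0] == "regexp":
        # assumption: unanchored search unless the pattern itself uses ^ and $
        return re.search(args[1], value) is not None
    return value == args[0]


def evaluate(class_map, session):
    """Combine the condition results according to the match directive."""
    results = [condition_true(a, args, session) for a, args in class_map["conditions"]]
    if class_map["directive"] == "match-all":
        return all(results)
    if class_map["directive"] == "match-any":
        return any(results)
    return not any(results)  # match-none


def unanchored_regexps(maps):
    """List (class, attribute, pattern) for regexps lacking both ^ and $."""
    return [(name, attribute, args[1])
            for name, class_map in maps.items()
            for attribute, args in class_map["conditions"]
            if args[0] == "regexp"
            and not (args[1].startswith("^") and args[1].endswith("$"))]


if __name__ == "__main__":
    parsed = parse_class_maps(SAMPLE_CONFIG)
    for name, class_map in parsed.items():
        for label, session in (("com", SESSION_COM), ("other", SESSION_OTHER),
                               ("empty", SESSION_EMPTY)):
            print(name, label, evaluate(class_map, session))
    print(unanchored_regexps(parsed))
```

Under the stated search assumption, class3 as written on the page is also true for the constructed `example.community.invalid` session, while the anchored variant is true only for names that end in `.com`. OFF-LAN shows the match-none edge case: it is true for a session that has no media attribute at all.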

match dnis

To create a condition that will evaluate true if a subscriber’s Dialed Number Identification Service number (DNIS number, also referred to as called-party number) matches the specified DNIS, use the match dnis command in control class map configuration mode. To remove the condition, use the no form of this command.

match dnis {dnis | regexp regular-expression}
no match dnis {dnis | regexp regular-expression}

Syntax Description
dnis                        DNIS number.
regexp regular-expression   Matches the regular expression against the subscriber’s DNIS number.

Command Default
A condition that will evaluate true if a subscriber’s DNIS number matches the specified DNIS is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match dnis command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.

class-map type control match-all class3
 match dnis regexp 5551212
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier dnis
!

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match media

To create a condition that will evaluate true if a subscriber’s access media type matches the specified media type, use the match media command in control class map configuration mode. To remove the condition, use the no form of this command.

match media {async | atm | ether | ip | isdn | mpls | serial}
no match media {async | atm | ether | ip | isdn | mpls | serial}

Syntax Description
async   Asynchronous media.
atm     ATM.
ether   Ethernet.
ip      IP.
isdn    ISDN.
mpls    Multiprotocol Label Switching (MPLS).
sync    Serial.

Command Default
A condition that will evaluate true if a subscriber’s access media type matches the specified media type is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match media command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example configures a control class map that evaluates true for subscribers that enter the router through Ethernet interface slot 3.

class-map type control match-all MATCHING-USERS
 match media ether
 match nas-port type ether slot 3

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match mlp-negotiated

To create a condition that will evaluate true depending on whether or not a subscriber’s session was established using multilink PPP negotiation, use the match mlp-negotiated command in control class map configuration mode. To remove the condition, use the no form of this command.

match mlp-negotiated {no | yes}
no match mlp-negotiated {no | yes}

Syntax Description
no    The subscriber’s session was not multilink PPP negotiated.
yes   The subscriber’s session was multilink PPP negotiated.

Command Default
A condition is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match mlp-negotiated command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example shows a control class map configured with the match mlp-negotiated command:

class-map type control match-all class3
 match mlp-negotiated yes
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize authenticated-username

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match nas-port

To create a condition that will evaluate true if a subscriber’s network access server (NAS) port identifier matches the specified value, use the match nas-port command in control class map configuration mode. To remove the condition, use the no form of this command.

match nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
no match nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description
adapter adapter-number               Interface adapter number.
channel channel-number               Interface channel number.
ipaddr ip-address                    IP address.
port port-number                     Port number.
shelf shelf-number                   Interface shelf number.
slot slot-number                     Slot number.
sub-interface sub-interface-number   Subinterface number.
type interface-type                  Interface type.
vci vci-number                       Virtual channel identifier.
vlan vlan-id                         VLAN ID.
vpi vpi-number                       Virtual path identifier.

Command Default
A condition that will evaluate true if a subscriber’s NAS port identifier matches the specified value is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match nas-port command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example configures a control class map that evaluates true on PPPoE subscribers that enter the router through Ethernet interface slot 3.

class-map type control match-all MATCHING-USERS
 class type control name NOT-ATM
 match media ether
 match nas-port type ether slot 3

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match no-username

To create a condition that will evaluate true if a subscriber’s username is available, use the match no-username command in control class map configuration mode. To remove the condition, use the no form of this command.

match no-username {no | yes}
no match no-username {no | yes}

Syntax Description
no    The subscriber’s username is available.
yes   The subscriber’s username is not available.

Command Default
A condition that will evaluate true if a subscriber’s username is available is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match no-username command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example shows a control class map configured with the match no-username command:

class-map type control match-all class3
 match no-username yes
!
policy-map type control rule4
 class type control class3 event session-start
  1 service local

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match protocol

To create a condition that will evaluate true if a subscriber’s access protocol type matches the specified protocol type, use the match protocol command in control class map configuration mode. To remove the condition, use the no form of this command.

match protocol {atom | ip | pdsn | ppp | vpdn}
no match protocol {atom | ip | pdsn | ppp | vpdn}

Syntax Description
atom   Any Transport over MPLS (AToM).
ip     IP.
pdsn   Packet Data Serving Node (PDSN).
ppp    Point-to-Point Protocol (PPP).
vpdn   Virtual Private Dialup Network (VPDN).

Command Default
A condition that will evaluate true if a subscriber’s access protocol type matches the specified protocol type is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match protocol command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example creates a control class map that evaluates true if subscribers arrive from a VPDN tunnel:

class-map type control match-any MY-CONDITION
 match protocol vpdn

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match service-name

To create a condition that will evaluate true if the service name associated with a subscriber matches the specified service name, use the match service-name command in control class map configuration mode. To remove the condition, use the no form of this command.

match service-name {service-name | regexp regular-expression}
no match service-name {service-name | regexp regular-expression}

Syntax Description
service-name                Service name.
regexp regular-expression   Regular expression to be matched against subscriber’s service name.

Command Default
A condition that will evaluate true if the service name associated with a subscriber matches the specified service name is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match service-name command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example configures ISA to authenticate subscribers associated with the service before downloading the service:

aaa authentication login AUTHEN local
aaa authorization network SERVICE group radius
!
class-map type control match-any MY-CONDITION2
 match service-name "gold"
 match service-name "bronze"
 match service-name "silver"
!
policy-map type control MY-RULE2
 class type control MY-CONDITION2 event service-start
  1 authenticate aaa list AUTHEN
  2 service-policy type service aaa list SERVICE identifier service-name
!
service-policy type control MY-RULE2

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.

match source-ip-address

To create a condition that will evaluate true if a subscriber’s source IP address matches the specified IP address, use the match source-ip-address command in control class map configuration mode. To remove the condition, use the no form of this command.

match source-ip-address ip-address subnet-mask
no match source-ip-address ip-address subnet-mask

Syntax Description
ip-address    IP address.
subnet-mask   Subnet mask.

Command Default
A condition that will evaluate true if a subscriber’s source IP address matches the specified IP address is not created.

Command Modes
Control class map configuration

Command History
Release       Modification
12.2(27)SBA   This command was introduced.

Usage Guidelines
The match source-ip-address command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.

Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.

class-map type control match-all class3
 match source-ip-address 10.0.0.0 255.255.255.0
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier source-ip-address
!

Related Commands
Command                   Description
class type control        Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control    Creates an ISA control class map.
policy-map type control   Creates or modifies a control policy map, which defines an ISA control policy.
-
match timer
86Cisco IOS Intelligent Service Architecture Command Reference
match timerTo create a condition that will evaluate true when the specified timer expires, use the match timer command in control class map configuration mode. To remove the condition, use the no form of this command.
match timer {timer-name | regexp regular-expression}
no match timer {timer-name | regexp regular-expression}
Syntax Description
Command Default A condition that will evaluate true when the specified timer expires is not created.
Command Modes Control class map configuration
Command History
Usage Guidelines The match timer command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a control policy map.
Examples The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.
class-map type control match-all CONDA
 match authen-status unauthenticated
 match timer TIMERA
policy-map type control RULEA
 class type control always event session-start
  1 set-timer TIMERA 1
 !
 class type control CONDA event timed-policy-expiry
  1 service disconnect
timer-name Name of the policy timer.
regexp regular-expression Regular expression to be matched against the timer name.
Release Modification
12.2(27)SBA This command was introduced.
Related Commands Command Description
class type control Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control Creates an ISA control class map.
policy-map type control Creates or modifies a control policy map, which defines an ISA control policy.
match tunnel-name
To create a condition that will evaluate true if a subscriber’s Virtual Private Dialup Network (VPDN) tunnel name matches the specified tunnel name, use the match tunnel-name command in control class map configuration mode. To remove the condition, use the no form of this command.
match tunnel-name {tunnel-name | regexp regular-expression}
no match tunnel-name {tunnel-name | regexp regular-expression}
Syntax Description
Command Default A condition that will evaluate true if a subscriber’s VPDN tunnel name matches the specified tunnel name is not created.
Command Modes Control class map configuration
Command History
Usage Guidelines The match tunnel-name command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a control policy map.
Examples The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.
class-map type control match-all class3
 match tunnel-name LAC
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier tunnel-name
!
tunnel-name VPDN tunnel name.
regexp regular-expression Regular expression to be matched against the subscriber’s tunnel name.
Release Modification
12.2(27)SBA This command was introduced.
Related Commands Command Description
class type control Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control Creates an ISA control class map.
policy-map type control Creates or modifies a control policy map, which defines an ISA control policy.
match unauthenticated-domain
To create a condition that will evaluate true if a subscriber’s unauthenticated domain name matches the specified domain name, use the match unauthenticated-domain command in control class map configuration mode. To remove the condition, use the no form of this command.
match unauthenticated-domain {domain-name | regexp regular-expression}
no match unauthenticated-domain {domain-name | regexp regular-expression}
Syntax Description
Command Default A condition that will evaluate true if a subscriber’s unauthenticated domain name matches the specified domain name is not created.
Command Modes Control class map configuration
Command History
Usage Guidelines The match unauthenticated-domain command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a control policy map.
Examples The following example configures a control class map that evaluates true for subscribers with the unauthenticated domain “abc.com”:
class-map type control match-all MY-FORWARDED-USERS
 match unauthenticated-domain "xyz.com"
domain-name Domain name.
regexp regular-expression Regular expression to be matched against subscriber’s domain name.
Release Modification
12.2(27)SBA This command was introduced.
Related Commands Command Description
class type control Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control Creates an ISA control class map.
policy-map type control Creates or modifies a control policy map, which defines an ISA control policy.
match unauthenticated-username
To create a condition that will evaluate true if a subscriber’s unauthenticated username matches the specified username, use the match unauthenticated-username command in control class map configuration mode. To remove the condition, use the no form of this command.
match unauthenticated-username {username | regexp regular-expression}
no match unauthenticated-username {username | regexp regular-expression}
Syntax Description
Command Default A condition that will evaluate true if a subscriber’s unauthenticated username matches the specified username is not created.
Command Modes Control class map configuration
Command History
Usage Guidelines The match unauthenticated-username command is used to configure a condition within an Intelligent Service Architecture (ISA) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a control policy map.
Examples The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.
class-map type control match-all class3
 match identifier unauthenticated-username regexp "user@.*com"
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier unauthenticated-username
!
username Username.
regexp regular-expression Regular expression to be matched against the subscriber’s username.
Release Modification
12.2(27)SBA This command was introduced.
Related Commands Command Description
class type control Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control Creates an ISA control class map.
policy-map type control Creates or modifies a control policy map, which defines an ISA control policy.
method-list
To specify the authentication, authorization, and accounting (AAA) method list to which the Intelligent Service Gateway (ISG) will send prepaid accounting updates or prepaid authorization requests, use the method-list command in ISA prepaid configuration mode. To reset to the default value, use the no form of this command.
method-list {accounting | authorization} name-of-method-list
no method-list {accounting | authorization} name-of-method-list
Syntax Description
Command Default A method list is not specified.
Command Modes Prepaid configuration
Command History
Usage Guidelines The AAA method list that is specified by the method-list command must be configured by using the aaa accounting command. See the Cisco IOS Security Configuration Guide for information about configuring AAA method lists, server groups, and servers.
Examples The following example shows an ISA prepaid feature configuration in which a method list called “ap-mlist” is specified for prepaid accounting and the default method list is specified for prepaid authorization:
subscriber feature prepaid conf-prepaid
 interim-interval 5
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco
accounting Specifies the AAA method list for ISA prepaid accounting.
authorization Specifies the AAA method list for ISA prepaid authorization.
name-of-method-list Name of the AAA method list to which ISA will send accounting updates or authorization requests.
Release Modification
12.2(27)SBA This command was introduced.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
Related Commands Command Description
aaa accounting Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
prepaid config Enables prepaid billing for an ISA service and references a configuration of prepaid billing parameters.
subscriber feature prepaid Creates or modifies a configuration of ISA prepaid billing parameters that can be referenced from a service policy map or service profile.
password (ISA)
To specify the password that the Intelligent Service Gateway (ISG) will use in authorization and reauthorization requests, use the password command in prepaid configuration mode. To reset the password to the default, use the no form of this command.
password password
no password password
Syntax Description
Command Default cisco
Command Modes Prepaid configuration
Command History
Examples The following example shows an Intelligent Service Architecture (ISA) prepaid feature configuration in which the password is “pword”:
subscriber feature prepaid conf-prepaid
 interim-interval 5
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password pword
Related Commands
password Password that the ISG will use in authorization and reauthorization requests.
Release Modification
12.2(27)SBA This command was introduced.
Command Description
prepaid config Enables prepaid billing for an ISA service and references a configuration of prepaid billing parameters.
subscriber feature prepaid Creates or modifies a configuration of ISA prepaid billing parameters that can be referenced from a service policy map or service profile.
police (ISA)
To configure ISA policing, use the police command in service policy-map class configuration mode. To disable upstream policing, use the no form of this command.
police {input | output} committed-rate [normal-burst excess-burst]
no police {input | output} committed-rate [normal-burst excess-burst]
Syntax Description
Command Default ISA policing is not enabled.
Command Modes Service policy-map class configuration
Command History
Usage Guidelines ISA policing supports policing of upstream and downstream traffic and can be applied to a session or a flow.
Session-based policing applies to the aggregate of subscriber traffic for a session.
Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map by using the police command. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.
Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class.
input Specifies policing of upstream traffic, which is traffic flowing from the subscriber toward the network.
output Specifies policing of downstream traffic, which is traffic flowing from the network toward the subscriber.
committed-rate Amount of bandwidth, in bits per second, to which a subscriber is entitled. Range is from 8000 to 1000000000.
normal-burst (Optional) Normal burst size, in bytes. Range is from 1000 to 512000000. If the normal burst size is not specified, it is calculated from the committed rate using the following formula:
Normal burst = 1.5 * committed rate (scaled and converted to bytes per msec)
excess-burst (Optional) Excess burst size, in bytes. Range is from 1000 to 512000000. If the excess burst is not specified, it is calculated from the normal burst value using the following formula:
Excess burst = 2 * normal burst
Release Modification
12.2(27)SBA This command was introduced.
Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map by using the police command. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.
Examples The following example shows the configuration of flow-based ISA policing in a service policy map:
class-map type traffic match-any C3
 match access-group in 103
 match access-group out 203
policy-map type service P3
 class type traffic C3
  police input 20000 30000 60000
  police output 21000 31500 63000
Related Commands Command Description
class type traffic Associates a previously configured traffic class to a service policy map.
policy-map type service Creates or modifies a service policy map, which is used to define an ISA service.
policy-map type control
To create or modify a control policy map, which defines an Intelligent Service Architecture (ISA) control policy, use the policy-map type control command in global configuration mode. To delete the control policy map, use the no form of this command.
policy-map type control policy-map-name
no policy-map type control policy-map-name
Syntax Description
Command Default A control policy map is not created.
Command Modes Global configuration
Command History
Usage Guidelines Control policies define the actions that your system will take in response to specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.
There are three steps involved in defining a control policy:
1. Create one or more control class maps, by using the class-map type control command.
2. Create a control policy map, using the policy-map type control command.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
3. Apply the control policy map to a context, using the service-policy type control command.
Examples The following example shows the configuration of a control policy map called “rule4.” Control policy map “rule4” contains one policy rule, which is the association of the control class “class3” with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3
 match access-type pppoe
 match domain cisco.com
 available nas-port-id
!
policy-map type control rule4
 class type control class3
  authorize nas-port-id
!
service-policy type control rule4
policy-map-name Name of the control policy map.
Release Modification
12.2(27)SBA This command was introduced.
Related Commands Command Description
class type control Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control Creates an ISA control class map.
service-policy type control Applies a control policy to a context.
policy-map type service
To create or modify a service policy map, which is used to define an Intelligent Service Architecture (ISA) subscriber service, use the policy-map type service command in global configuration mode. To delete a service policy map, use the no form of this command.
policy-map type service policy-map-name
no policy-map type service policy-map-name
Syntax Description
Command Default A service policy map is not created.
Command Modes Global configuration
Command History
Usage Guidelines Use the policy-map type service command to create or modify an ISA service policy map. Service policy maps define ISA subscriber services.
An ISA service is a collection of policies that may be applied to a subscriber session. Services can be defined in service policy maps and service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type service command, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server.
Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.
Examples The following example shows the configuration of a service policy map called “redirect-profile”:
policy-map type service redirect-profile
 class type traffic CLASS-ALL
  redirect to group redirect-sg
Related Commands
policy-map-name Name of the service policy map.
Release Modification
12.2(27)SBA This command was introduced.
Command Description
class type traffic Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.
show policy-map type service Displays the contents of all service policy maps.
port
To specify the port on which an Intelligent Service Gateway (ISG) listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.
port port-number
no port port-number
Syntax Description
Command Default ISG listens on port 1700.
Command Modes Dynamic authorization local server configuration
Command History
Usage Guidelines An ISG can be configured to allow external policy servers to dynamically send policies to the ISG. This functionality is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer to peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which ISG will listen for requests from RADIUS clients.
Examples The following example specifies port 1650 as the port on which the ISG listens for RADIUS requests:
aaa server radius dynamic-author
 client 10.0.0.1
 port 1650
Related Commands
port-number Port number.
Release Modification
12.2(27)SBA This command was introduced.
Command Description
aaa server radius dynamic-author Configures an ISG as a AAA server to facilitate interaction with an external policy server.
prepaid config
To enable prepaid billing for an Intelligent Service Architecture (ISA) service and to reference a configuration of prepaid billing parameters, use the prepaid config command in service policy traffic class configuration mode. To disable prepaid billing for a service, use the no form of this command.
prepaid config {name-of-configuration | default}
no prepaid config {name-of-configuration | default}
Syntax Description
Command Default Prepaid billing is not enabled.
Command Modes Service policy traffic class configuration
Command History
Usage Guidelines ISA prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the authentication, authorization, and accounting (AAA) server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.
To create or modify a prepaid billing parameter configuration, use the subscriber feature prepaid command to enter prepaid configuration mode. A default prepaid configuration exists with the following parameters:
subscriber feature prepaid default
 threshold time 0 seconds
 threshold volume 0 bytes
 method-list authorization default
 method-list accounting default
 password cisco
The default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.
The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.
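Because of this inheritance, a named prepaid configuration that never sets a password still uses the documented default “cisco”. The following Python audit is an added example, not Cisco code: it resolves the effective parameters of each prepaid configuration in IOS-style text and lists those whose password is the default. The sample configuration, the names conf-gold, conf-silver and video, the placeholder EXAMPLE-SECRET, and the assumption that sub-commands are indented by whitespace are constructed for illustration.

```python
import re

# Built-in "default" prepaid configuration, as listed on this page.
BUILTIN_DEFAULT = {
    "threshold time": "0 seconds",
    "threshold volume": "0 bytes",
    "method-list authorization": "default",
    "method-list accounting": "default",
    "password": "cisco",
}
TWO_WORD_KEYS = ("threshold", "method-list")


def _split_param(line):
    """Split a prepaid sub-command into (key, value)."""
    words = line.split()
    n = 2 if words[0] in TWO_WORD_KEYS and len(words) > 2 else 1
    return " ".join(words[:n]), " ".join(words[n:])


def parse(config_text):
    """Return (prepaid_blocks, service_refs) from IOS-style config text.

    prepaid_blocks: {config name: {key: value}} exactly as configured.
    service_refs:   {service policy-map name: [prepaid config names]}.
    """
    prepaid, services = {}, {}
    section = None  # ("prepaid", name) or ("service", name)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line opens a new section
            p = re.match(r"subscriber feature prepaid (\S+)$", line)
            s = re.match(r"policy-map type service (\S+)$", line)
            if p:
                section = ("prepaid", p.group(1))
                prepaid.setdefault(p.group(1), {})
            elif s:
                section = ("service", s.group(1))
                services.setdefault(s.group(1), [])
            else:
                section = None
        elif section and section[0] == "prepaid":
            key, value = _split_param(line)
            prepaid[section[1]][key] = value
        elif section and section[0] == "service":
            ref = re.match(r"prepaid config (\S+)$", line)
            if ref:
                services[section[1]].append(ref.group(1))
    return prepaid, services


def effective(name, prepaid):
    """Resolve parameters: built-in default < edited default < named block."""
    params = dict(BUILTIN_DEFAULT)
    params.update(prepaid.get("default", {}))
    if name != "default":
        params.update(prepaid.get(name, {}))
    return params


def audit(config_text):
    """List prepaid configurations whose effective password is the default."""
    prepaid, services = parse(config_text)
    referenced = {n for refs in services.values() for n in refs}
    findings = []
    for name in sorted(set(prepaid) | referenced):
        if effective(name, prepaid)["password"] != BUILTIN_DEFAULT["password"]:
            continue
        source = "explicit" if "password" in prepaid.get(name, {}) else "inherited"
        used_by = sorted(s for s, refs in services.items() if name in refs)
        findings.append({"config": name, "source": source, "services": used_by})
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
subscriber feature prepaid conf-prepaid
 threshold time 20
 method-list accounting ap-mlist
 password cisco
!
subscriber feature prepaid conf-gold
 interim-interval 5
 threshold volume 0
!
subscriber feature prepaid conf-silver
 password EXAMPLE-SECRET
!
policy-map type service mp3
 class type traffic CLASS-ACL-101
  prepaid config conf-prepaid
!
policy-map type service video
 class type traffic CLASS-ACL-102
  prepaid config conf-gold
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

conf-gold is reported even though the string “cisco” never appears in its block, which is the case a plain text search of the configuration misses.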
name-of-configuration A named configuration of prepaid billing parameters.
default The default configuration of prepaid billing parameters.
Release Modification
12.2(27)SBA This command was introduced.
Examples The following example shows prepaid billing enabled in a service called “mp3”. The prepaid billing parameters in the configuration “conf-prepaid” will be used for “mp3” prepaid sessions.
policy-map type service mp3
 class type traffic CLASS-ACL-101
  authentication method-list cp-mlist
  accounting method-list cp-mlist
  prepaid config conf-prepaid
subscriber feature prepaid conf-prepaid
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco
Related Commands Command Description
subscriber feature prepaid Creates or modifies a configuration of ISA prepaid billing parameters that can be referenced from a service policy map or service profile.
redirect server-group
To define a group of one or more servers that make up a named Intelligent Service Architecture (ISA) Layer 4 redirect server group, use the redirect server-group command in global configuration mode. To remove a redirect server group and any servers configured within that group, use the no form of this command.
redirect server-group group-name
no server-group group-name
Syntax Description
Command Default A redirect server group is not defined.
Command Modes Global configuration
Command History
Usage Guidelines Use the redirect server-group command to define and name an ISA Layer 4 redirect server group. Packets sent upstream from an unauthenticated subscriber can be forwarded to the server group, which will deal with the packets in a suitable manner, such as routing them to a logon page. You can also use server groups to handle requests from authorized subscribers who request access to services to which they are not logged in and for advertising captivation.
After defining a redirect server group with the redirect server-group command, identify individual servers for inclusion in the server group using the server command in Layer 4 redirect server group configuration mode.
Examples The following example shows the configuration of a server group called “PORTAL”:
redirect server-group PORTAL
 server ip 10.2.36.253 port 80
Related Commands
group-name Name of the server group.
Release Modification
12.2(27)SBA This command was introduced.
Command Description
redirect to (ISA) Redirects ISA Layer 4 traffic to a specified server or server group.
server Adds a server to an ISA Layer 4 redirect server group.
show redirect group Displays information about ISA Layer 4 redirect server groups.
show redirect translations Displays information about the ISA Layer 4 redirect mappings for subscriber sessions.
redirect to (ISA)
To redirect Intelligent Service Architecture (ISA) Layer 4 traffic to a specified server or server group, use the redirect to command in interface configuration or service policy map class configuration mode. To disable redirection, use the no form of this command.
redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds [frequency seconds]]
no redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds [frequency seconds]]
Syntax Description
Command Default Subscriber Layer 4 traffic is not redirected.
Command Modes Interface configuration
Service policy-map class configuration
Command History
Usage Guidelines The ISA Layer 4 Redirect feature redirects specified Layer 4 subscriber packets to servers that handle the packets in a specified manner.
The Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:
• Permanent redirection—Specified traffic is redirected to the specified server all the time.
• Initial redirection—Specified traffic is redirected for a specific duration of time only, starting from when the feature is applied.
• Periodic redirection—Specified traffic is periodically redirected. The traffic is redirected for a specified duration of time. The redirection is then suspended for another specified duration. This cycle is repeated.
list access-list-number (Optional) Access list that specifies the traffic to be redirected.
group server-group-name Server group to which traffic will be redirected.
ip ip-address IP address of the server to which traffic will be redirected.
port port-number (Optional) Port number on the server to which traffic will be redirected.
duration seconds (Optional) Amount of time, in seconds, for which traffic will be redirected, beginning with the first packet that gets redirected.
frequency seconds (Optional) Period of time, in seconds, between activations of redirection.
Release Modification
12.2(27)SBA This command was introduced.
The ISA Layer 4 Redirect feature uses access lists to define which traffic will be redirected. Multiple access lists can be used to redirect packets to different server groups. Only the first packet of a TCP session must match the access list; subsequent packets for the session will be sent to the same server.
Examples
Redirecting Layer 4 Traffic to a Server Group: Examples
The following example redirects Layer 4 traffic to the servers specified in server group “ADVT-SERVER”:
redirect to group ADVT-SERVER
The following example redirects traffic matching ACL 100 to the server group “ADVT-SERVER”:
redirect list 100 to group ADVT-SERVER
Redirecting Layer 4 Traffic to a Specific IP Address: Examples
The following example configures ISA to redirect all traffic coming from the subscriber interface and matching ACL 100 to 9.2.36.253. The destination port is left unchanged, so traffic to 10.10.10.10 port 23 is redirected to 9.2.36.253 port 23, and traffic to 4.4.4.4 port 80 is redirected to 9.2.36.253 port 80:
redirect list 100 to ip 9.2.36.253
The following example configures ISA to redirect all traffic coming from the subscriber interface and matching ACL 100 to 9.2.36.253 port 80:
redirect list 100 to ip 9.2.36.253 port 80
Initial Redirection: Example
The following example redirects all traffic to the servers configured in the server group “ADVT-SERVER” for the first 60 seconds of the session and then stops redirection for the rest of the lifetime of the session:
redirect to group ADVT-SERVER duration 60
Periodic Redirection: Example
The following example redirects all traffic to server group “ADVT-SERVER” for 60 seconds, every 3600 seconds. That is, the traffic will be redirected for 60 seconds, and subsequently the redirection is suspended for 3600 seconds, after which redirection resumes again for 60 seconds, and so on.
redirect to group ADVT-SERVER duration 60 frequency 3600
Interface Configuration: Example
The following example shows ISA Layer 4 redirection configured on Fast Ethernet interface 0/0.505:
interface FastEthernet0/0.505
 encapsulation dot1Q 505
 ip address 50.0.0.1 255.255.255.0
 ip subscriber
  identifier interface
 redirect list 100 to group ADVT-SERVER duration 30 frequency 3600
 no cdp enable
!
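The redirect to syntax and the three redirection types described above, modelled as an added Python example (not Cisco code): it parses the command forms shown on this page and answers when redirection is in force and where a matching packet is sent under an ip rule. It assumes elapsed time is counted from the moment redirection first applies and, following the “suspended for 3600 seconds” wording, that one periodic cycle lasts duration + frequency seconds; RedirectRule, parse_redirect, active_at and rewrite are names made up for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# redirect [list N] to {group G | ip A [port P]} [duration S [frequency S]]
_REDIRECT = re.compile(
    r"^redirect(?:\s+list\s+(?P<acl>\d+))?\s+to\s+"
    r"(?:group\s+(?P<group>\S+)|ip\s+(?P<ip>\S+)(?:\s+port\s+(?P<port>\d+))?)"
    r"(?:\s+duration\s+(?P<duration>\d+)(?:\s+frequency\s+(?P<frequency>\d+))?)?$"
)


@dataclass(frozen=True)
class RedirectRule:
    acl: Optional[int]        # list access-list-number
    group: Optional[str]      # group server-group-name
    ip: Optional[str]         # ip ip-address
    port: Optional[int]       # port port-number (only with ip)
    duration: Optional[int]   # seconds of redirection
    frequency: Optional[int]  # seconds between activations

    @property
    def mode(self) -> str:
        if self.duration is None:
            return "permanent"
        return "initial" if self.frequency is None else "periodic"

    def active_at(self, elapsed: int) -> bool:
        """Is redirection in force `elapsed` seconds after it first applied?"""
        if self.mode == "permanent":
            return True
        if self.mode == "initial":
            return elapsed < self.duration
        # Periodic: `duration` seconds on, then `frequency` seconds suspended.
        return elapsed % (self.duration + self.frequency) < self.duration

    def rewrite(self, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """New destination of a matching packet under an `ip` rule.

        Without `port`, the original destination port is left unchanged.
        """
        if self.ip is None:
            raise ValueError("group rules need the server group's member list")
        return self.ip, self.port if self.port is not None else dst_port


def parse_redirect(line: str) -> RedirectRule:
    """Parse one `redirect ... to ...` command line into a RedirectRule."""
    m = _REDIRECT.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"not a valid redirect command: {line!r}")

    def num(name):
        value = m.group(name)
        return int(value) if value is not None else None

    ip = m.group("ip")
    if ip is not None:
        ip = str(ipaddress.IPv4Address(ip))  # ValueError on a bad address
    port = num("port")
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if num("duration") == 0:
        # Assumption: the page gives no range; zero would make the cycle empty.
        raise ValueError("duration must be positive")
    return RedirectRule(num("acl"), m.group("group"), ip, port,
                        num("duration"), num("frequency"))


if __name__ == "__main__":
    rule = parse_redirect("redirect to group ADVT-SERVER duration 60 frequency 3600")
    for t in (0, 59, 60, 3659, 3660):
        print(t, rule.active_at(t))
```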
Related Commands Command Description
redirect server-group Defines a group of one or more servers that make up a named ISA Layer 4 redirect server group.
server (ISA) Adds a server to an ISA Layer 4 redirect server group.
show redirect group Displays information about ISA Layer 4 redirect server groups.
show redirect translations Displays information about the ISA Layer 4 redirect mappings for subscriber sessions.
server
To add a server to an Intelligent Service Architecture (ISA) Layer 4 redirect server group, use the server command in Layer 4 redirect server group configuration mode. To remove a server from a redirect server group, use the no form of this command.
server ip ip-address port port
no server ip ip-address port port
Syntax Description
Command Default A server is not added to the redirect server group.
Command Modes Layer 4 redirect server group configuration
Command History
Usage Guidelines Use the server command in Layer 4 redirect server group configuration mode to add a server, defined by its IP address and TCP port, to a redirect server group. The server command can be entered more than once to add multiple servers to the server group.
ISA Layer 4 redirection provides nonauthorized users with access to controlled services. Packets sent upstream from an unauthenticated user are forwarded to the server group, which deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services to which they are not logged in.
Examples The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a redirect server group named “ADVT-SERVER”:
redirect server-group ADVT-SERVER server ip 10.0.0.0 port 8080 server ip 10.1.2.3 port 8081
Related Commands
ip ip-address IP address of the server to be added to the redirect server group.
port port TCP port of the server to be added to the redirect server group.
Release Modification
12.2(27)SBA This command was introduced.
Command Description
redirect server-group Defines a group of one or more servers that make up a named ISA Layer 4 redirect server group.
redirect to (ISA) Redirects ISA Layer 4 traffic to a specified server or server group.
-
server
111Cisco IOS Intelligent Service Architecture Command Reference
show redirect group Displays information about ISA Layer 4 redirect server groups.
show redirect translations
Displays information about the ISA Layer 4 redirect mappings for subscriber sessions.
Command Description
server-key
To configure the RADIUS key to be shared between an Intelligent Service Gateway (ISG) and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.
server-key [0 | 7] word
no server-key [0 | 7] word
Syntax Description
0       (Optional) Specifies that an unencrypted key will follow.
7       (Optional) Specifies that a hidden key will follow.
word    Unencrypted server key.
Command Default A server key is not configured.
Command Modes Dynamic authorization local server configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines An ISG can be configured to allow external policy servers to dynamically send policies to the ISG. This functionality is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the ISG and RADIUS clients.
Examples The following example configures “cisco” as the shared server key:
aaa server radius dynamic-author
 client 10.0.0.1
 server-key cisco
Related Commands
Command                             Description
aaa server radius dynamic-author    Configures an ISG as a AAA server to facilitate interaction with an external policy server.
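The check below is an added example, not part of the Cisco reference: it scans an IOS configuration for aaa server radius dynamic-author stanzas and reports each server-key line, flagging keys stored unencrypted and guessable values such as the “cisco” key in the example above. The sample configuration, the weak-value list, the length threshold and the function names are assumptions made for illustration.

```python
import re

# Constructed list of guessable values; "cisco" is the key used in the example above.
WEAK_KEYS = {"cisco", "radius", "secret", "password"}
MIN_LENGTH = 16  # assumption: local minimum length for a RADIUS shared key

# Constructed sample configuration, modelled on the example above.
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 10.0.0.1
 server-key cisco
!
"""

# Matches the documented syntax: server-key [0 | 7] word
KEY_RE = re.compile(r"^server-key(?:\s+([07]))?\s+(\S+)$")


def classify_key(key_type, word):
    """Describe one server-key value according to the checks in this example."""
    if key_type == "7":
        # Type 7 is a reversible encoding, so the config file itself must stay protected.
        return "hidden (type 7) key: reversible encoding, strength not checked"
    if word.lower() in WEAK_KEYS:
        return "unencrypted key with a guessable value"
    if len(word) < MIN_LENGTH:
        return "unencrypted key shorter than %d characters" % MIN_LENGTH
    return "unencrypted key stored in the configuration"


def audit_server_keys(config_text):
    """Return (line_number, clients, finding) for each server-key line found in an
    'aaa server radius dynamic-author' stanza."""
    findings = []
    in_stanza = False
    clients = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.startswith(" "):
            # A non-indented line opens a new top-level stanza (or is a "!" separator).
            in_stanza = raw.strip() == "aaa server radius dynamic-author"
            clients = []
            continue
        if not in_stanza:
            continue
        line = raw.strip()
        if line.startswith("client "):
            clients.append(line.split()[1])
            continue
        match = KEY_RE.match(line)
        if match:
            finding = classify_key(match.group(1) or "0", match.group(2))
            findings.append((number, clients, finding))
    # Freeze the client lists only now, so clients listed after the key are included.
    return [(n, tuple(c), f) for n, c, f in findings]


if __name__ == "__main__":
    for number, clients, finding in audit_server_keys(SAMPLE_CONFIG):
        print("line %d, clients %s: %s" % (number, ", ".join(clients), finding))
```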
service
To specify a network service type for PPP sessions, use the service command in control policy map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number service {disconnect | local | vpdn}
no action-number service {disconnect | local | vpdn}
Syntax Description
action-number    Number of the action. Actions are executed sequentially within the policy rule.
disconnect       Disconnect the session.
local            Locally terminate the session.
vpdn             Virtual Private Dialup Network (VPDN) tunnel service.
Command Default Local termination
Command Modes Control policy map class configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines The service command configures an action in a control policy map.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Service Architecture (ISA) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Examples The following example shows how to configure ISA to locally terminate sessions for PPP subscribers:
policy-map type control MY-RULE1
 class type control MY-CONDITION2 event session-start
  1 service local
Related Commands
Command                    Description
class type control         Specifies a control class for which actions may be configured in an ISA control policy map.
policy-map type control    Creates or modifies a control policy map, which defines an ISA control policy.
service deny (service policy-map)
To deny network service to the subscriber session, use the service deny command in service policy-map configuration mode. To remove the configuration, use the no form of this command.
service deny
no service deny
Syntax Description The command has no arguments or keywords.
Command Default Service is not denied to the session.
Command Modes Service policy-map configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines The service deny command denies network service to subscriber sessions that use the service policy map.
Examples The following example denies service to subscriber sessions that use the service called “service1”:
policy-map type service service1
 service deny
Related Commands
Command                    Description
policy-map type service    Creates or modifies a service policy map, which is used to define an ISA subscriber service.
service local (service policy-map)
To specify local termination service in an Intelligent Service Architecture (ISA) service policy map, use the service local command in service policy map configuration mode. To remove the service, use the no form of this command.
service local
no service local
Syntax Description This command has no arguments or keywords.
Command Default Local termination service is not specified.
Command Modes Service policy map configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines The service local command is used to configure local termination service in a service policy map defined with the policy-map type service command.
When you configure the service local command in a service policy map, you can also use the ip vrf forwarding command to specify the routing domain in which to terminate the session. If you do not specify the routing domain, the global virtual routing and forwarding instance (VRF) will be used.
Examples The following example provides local termination service to subscriber sessions for which the “my_service” service policy map is activated:
!
policy-map type service my_service
 service local
Related Commands
Command                                   Description
ip vrf forwarding (service policy map)    Associates the service with a VRF.
service vpdn group                        Provides VPDN service.
policy-map type service                   Creates or modifies a service policy map, which is used to define an ISA service.
vpdn-group                                Associates a VPDN group with a customer or VPDN profile.
service-policy type control
To apply a control policy to a context, use the service-policy type control command in the appropriate configuration mode. To unapply the control policy, use the no form of this command.
service-policy type control policy-map-name
no service-policy type control policy-map-name
Syntax Description
policy-map-name    Name of the control policy map.
Command Default A control policy is not applied to a context.
Command Modes
Global configuration
Interface configuration
Subinterface configuration
Virtual template configuration
ATM VC class configuration
ATM VC configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts:
1. Global
2. Interface
3. Subinterface
4. Virtual template
5. VC class
6. PVC
In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.
Control policies apply to all sessions hosted on the context.
Only one control policy map may be applied to a given context.
Examples The following example applies the control policy map “RULEA” to Ethernet interface 0:
interface Ethernet 0
 service-policy type control RULEA
Related Commands
Command                    Description
policy-map type control    Creates or modifies a control policy map, which defines an ISA control policy.
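The precedence rule in the usage guidelines above can be checked against a configuration before it is deployed. The following is an added example, not code from the Cisco reference: it reads service-policy type control lines from the global level and from interface stanzas, then reports which control policy map governs a session on a given interface. The sample configuration and policy map names are constructed, and it assumes that a session on a subinterface is also hosted on the parent interface and the global context; VC class and PVC contexts are ranked but not parsed.

```python
import re

# Context types numbered as in the list above; the higher number wins.
PRECEDENCE = {"global": 1, "interface": 2, "subinterface": 3,
              "virtual-template": 4, "vc-class": 5, "pvc": 6}

# Constructed sample configuration; the policy map names are made up.
SAMPLE_CONFIG = """\
service-policy type control RULE-GLOBAL
!
interface FastEthernet0/0
 service-policy type control RULE-IF
!
interface FastEthernet0/0.505
 service-policy type control RULE-SUBIF
!
interface FastEthernet0/0.506
!
"""

POLICY_RE = re.compile(r"^\s*service-policy type control (\S+)\s*$")


def classify_interface(name):
    """Map an interface name to a context type handled by this example."""
    if name.lower().startswith("virtual-template"):
        return "virtual-template"
    return "subinterface" if "." in name else "interface"


def parse_control_policies(config_text):
    """Return {(context_type, name): policy map} for global and interface stanzas."""
    applied, context = {}, None
    for raw in config_text.splitlines():
        match = POLICY_RE.match(raw)
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].replace(" ", "")
            context = (classify_interface(name), name)
        elif raw and not raw.startswith(" "):
            # Other top-level lines end the stanza; only the command itself is global.
            context = ("global", "") if match else None
        if match and context is not None:
            applied[context] = match.group(1)  # one control policy map per context
    return applied


def hosting_contexts(interface_name):
    """Contexts assumed to host a session on this interface, most general first."""
    name = interface_name.replace(" ", "")
    contexts = [("global", "")]
    if "." in name:
        contexts.append(("interface", name.split(".", 1)[0]))
    contexts.append((classify_interface(name), name))
    return contexts


def effective_policy(applied, interface_name):
    """Return (context, policy map) from the highest-precedence context that has one."""
    candidates = [c for c in hosting_contexts(interface_name) if c in applied]
    if not candidates:
        return None
    winner = max(candidates, key=lambda c: PRECEDENCE[c[0]])
    return winner, applied[winner]
```

Calling effective_policy(parse_control_policies(SAMPLE_CONFIG), "FastEthernet0/0.506") shows the fallback case: the subinterface has no map of its own, so the parent interface's map applies.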
service-policy type service
To activate an Intelligent Service Architecture (ISA) service, use the service-policy type service command in control policy map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}
no action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}
Syntax Description
action-number               Number of the action. Actions are executed sequentially within the policy rule.
unapply                     Deactivates the specified service.
aaa list list-name          (Optional) Activates the service using the specified authentication, authorization, and accounting (AAA) method list.
name service-name           Name of the service.
identifier                  Activates a service that has the same name as the specified identifier.
authenticated-domain        Authenticated domain name.
authenticated-username      Authenticated username.
dnis                        Dialed Number Identification Service number (also referred to as the called-party number).
nas-port                    Network access server (NAS) port identifier.
tunnel-name                 VPDN tunnel name.
unauthenticated-domain      Unauthenticated domain name.
unauthenticated-username    Unauthenticated username.
Command Default A service is not activated.
Command Modes Control policy map class configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines The service-policy type service command configures an action in a control policy map. If you do not specify the AAA method list, the default method list will be used.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an ISA control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Services are configured in service profiles on the AAA server or in service policy maps on the router.
Examples The following example configures an ISA control policy that will initiate authentication of the subscriber and then apply a service that has a name matching the subscriber’s authenticated domain name:
policy-map type control MY-RULE2
 class type control MY-CONDITION2 event service-start
  1 authenticate aaa list AUTHEN
  2 service-policy type service aaa list SERVICE identifier authenticated-domain
Related Commands
Command                    Description
class type control         Specifies a control class for which actions may be configured in an ISA control policy map.
policy-map type control    Creates or modifies a control policy map, which defines an ISA control policy.
policy-map type service    Creates or modifies a service policy map, which is used to define an ISA subscriber service.
service relay (service policy-map)
To enable relay of PPPoE Active Discovery (PAD) messages over a Layer 2 Tunnel Protocol (L2TP) tunnel for a subscriber session, use the service relay command in service policy-map configuration mode. To disable message relay, use the no form of this command.
service relay pppoe vpdn group vpdn-group-name
no service relay pppoe vpdn group vpdn-group-name
Syntax Description
pppoe                         Provides relay service using PPP over Ethernet (PPPoE) using a virtual private dialup network (VPDN) L2TP tunnel for the relay.
vpdn group vpdn-group-name    Provides VPDN service by obtaining the configuration from a predefined VPDN group.
Command Default Relay of PAD messages over an L2TP tunnel is not enabled.
Command Modes Service policy-map configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines The service relay command is configured as part of a service policy-map.
Examples The following example configures sessions that use the service policy-map “service1” to contain outgoing tunnel information for the relay of PAD messages over an L2TP tunnel:
policy-map type service service1
 service relay pppoe vpdn group Sample1.net
Related Commands
Command                    Description
policy-map type service    Creates or modifies a service policy map, which is used to define an ISA subscriber service.
service vpdn group (service policy-map)
To provide virtual private dialup network (VPDN) service for Intelligent Service Architecture (ISA) subscriber sessions, use the service vpdn group command in service policy-map configuration mode. To remove VPDN service, use the no form of this command.
service vpdn group vpdn-group-name
no service vpdn group vpdn-group-name
Syntax Description
vpdn-group-name    Provides the VPDN service by obtaining the configuration from a predefined VPDN group.
Command Default VPDN service is not provided for ISA subscriber sessions.
Command Modes Service policy map configuration
Command History
Release       Modification
12.2(27)SB    This command was introduced.
Usage Guidelines The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group.
A service configured with the service vpdn group command (or corresponding RADIUS attribute) is a primary service.
Examples The following example provides VPDN service to sessions that use the service called “service1” and uses VPDN group 1 to obtain VPDN configuration information:
policy-map type service service1
 service vpdn group 1
Related Commands
Command                    Description
policy-map type service    Creates or modifies a service policy map, which is used to define an ISA subscriber service.
set-timer
To start a named policy timer, use the set-timer command in control policy map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number set-timer name-of-timer minutes
no action-number set-timer name-of-timer minutes
Syntax Description
action-number    Number of the action. Actions are executed sequentially within the policy rule.
name-of-timer    Name of the policy timer.
minutes          Timer interval, in minutes. Range is from 1 to 10100.
Command Default A named policy timer is not started.
Command Modes Control policy map class configuration
Command History
Release        Modification
12.2(27)SBA    This command was introduced.
Usage Guidelines The set-timer command configures an action in a control policy map.
Expiration of a named policy timer generates the timed-policy-expiry event.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an ISA control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Examples The following example configures a policy timer called “TIMERA”. When TIMERA expires, the service will be disconnected.
class-map type control match-all CONDE
 match timer TIMERA
policy-map type control RULEA
 class type control event session-start
  1 set-timer TIMERA 1
 class type control CONDE event timed-policy-expiry
  1 service disconnect
Related Commands
Command                    Description
class type control         Specifies a control class for which actions may be configured in an ISA control policy map.
policy-map type control    Creates or modifies a control policy map, which defines an ISA control policy.
sg-service-group
To associate an Intelligent Service Architecture (ISA) service with a service group, use the sg-service-group command in service policy-map configuration mode. To remove the association, use the no form of this command.
sg-service-group service-group-name
no sg-service-group service-group-name
Syntax Description
Command Default The service is not part of a service group.
Command Modes Service policy-map configuration
Command History
Usage Guidelines A service group is a grouping of services that may be active simultaneously for a given session. Typically, a service group includes one primary service and one or more secondary services.
Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, can be activated only if they are primary. If a primary service from another service group is activated, all services in the current service-group will also be deactivated because they have a dependency on the previous primary service.
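The activation rules in the two paragraphs above can be written as a small state model. This is an added example, not code from the Cisco reference or from ISA itself; it assumes every service names a service group and that a session has one active group at a time, and the service and group names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    group: str            # service group named by sg-service-group
    primary: bool = False


@dataclass
class Session:
    active: dict = field(default_factory=dict)  # service name -> Service

    def current_group(self):
        """Group of the services active on the session, or None if there are none."""
        for service in self.active.values():
            return service.group
        return None

    def activate(self, service):
        """Apply the rules above. Returns (accepted, names of services deactivated)."""
        if self.active and service.group == self.current_group():
            # Same group as the active primary: primary or secondary may join.
            self.active[service.name] = service
            return True, []
        if not service.primary:
            # A secondary needs its own group's primary to be active first.
            return False, []
        # A primary from another group replaces everything in the current group.
        dropped = sorted(self.active)
        self.active = {service.name: service}
        return True, dropped


def replay(services):
    """Activate services in order on a fresh session and return the outcomes."""
    session = Session()
    return [(s.name,) + session.activate(s) for s in services]


# Constructed services; the names and groups are made up for this example.
INTERNET = Service("INTERNET", "GROUP-A", primary=True)
VIDEO = Service("VIDEO", "GROUP-A")
CORP = Service("CORP-VPN", "GROUP-B", primary=True)
CORP_VOICE = Service("CORP-VOICE", "GROUP-B")

if __name__ == "__main__":
    for outcome in replay([VIDEO, INTERNET, VIDEO, CORP_VOICE, CORP, CORP_VOICE]):
        print(outcome)
```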
Examples The following example associates the service called “prima